a7c1f86f505e55bec1323327c159ff3ecbdc37b847f26aed4ee28b9fecba5742

General

Target

77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe
Size

332KB
MD5

77709ccfdd8b04d98eee33db53d68e51
SHA1

c72f56c1330704aae591ca7e029399a6aaf6036f
SHA256

a7c1f86f505e55bec1323327c159ff3ecbdc37b847f26aed4ee28b9fecba5742
SHA512

b1e6fd8a6a568eadbb9f53de3785f44ac0b559dfa6be6b1b3ae3b14db70f35f2c69742ae0647a3010779238ea48d1bdd78cc953deab229f760c5c27348ebc949
SSDEEP

3072:UubHlt9Q/K0+Z3DEsmaey0WmPDL4VhBjnMvHlGDu2e9cMFGYhzFfqZVuoKMuu:DH7E4eF23IvHlouxcAG42uZ3

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe

description pid process target process

PID 3000 set thread context of 2212 3000 77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1944 2212 WerFault.exe svchost.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe:Zone.Identifier cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3000 77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe

description	pid	process	target process
PID 3000 set thread context of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe

pid	pid_target	process	target process
1944	2212	WerFault.exe	svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe:Zone.Identifier	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	svchost.exe
PID 2212 wrote to memory of 1944	2212	svchost.exe	WerFault.exe
PID 2212 wrote to memory of 1944	2212	svchost.exe	WerFault.exe
PID 2212 wrote to memory of 1944	2212	svchost.exe	WerFault.exe
PID 2212 wrote to memory of 1944	2212	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:2756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 164
3⤵
- Program crash
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2212-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3000-5-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-4-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3000-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3000-2-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-6-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-1-0x0000000000860000-0x00000000008BA000-memory.dmp

Filesize
360KB

Download
memory/3000-3-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/3000-22-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing